On October 16, 2017, a statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) was released alerting the industry to a series of vulnerabilities for WPA and WPA2. These vulnerabilities are at the protocol-level and affect a large number of wireless infrastructure devices and wireless clients, across many vendors. This security flaw means that, for vulnerable clients and access points, WPA and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to remediate the issue. The Wi-Fi data stream, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. WatchGuard’s Wi-Fi access points and Wi-Fi enabled appliances are affected by these vulnerabilities. Following is detailed information about the vulnerabilities, which WatchGuard products are affected, and timing for patches.

Who is affected by these vulnerabilities?
Any Wi-Fi client or access point that utilizes the wpa_supplicant or hostapd Open Source software packages in the authentication process may be affected by these vulnerabilities. These are widely used software packages across the industry, so the vast majority of devices will be affected. The ICASI statement linked above includes many, but not all, affected vendors. Organizations that use wireless access points (APs) relying on WPA or WPA2 encryption, and mobile users who connect to Wi-Fi networks with smartphones, tablets, laptops, and other devices, should implement the necessary patches applicable to these vulnerabilities.

How many/what type of vulnerabilities are there?
Refer to the ICASI list of vulnerabilities and Common Vulnerability and Exposure (CVE) identifiers here.

How do the WPA and WPA2 vulnerabilities work?
A malicious user could inject specially-crafted packets into the middle of the WPA/WPA2 authentication handshake, forcing installation of a key known to—or controlled by—the attacker. This results in the possibility of decrypting and/or modifying client traffic. Traffic already protected by a higher-level encryption protocol, such as HTTPS, VPNs, or application encryption would not be impacted.

Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network. This is accomplished by manipulating retransmissions of handshake messages.

When an adversary manipulates certain handshake messages over the air, the exploit results in reuse of some packet numbers when handshakes are performed. The reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay security is based. The principle is that for a given key hierarchy, PTK, GTK and IGTK, packet numbers in two original (non-retransmits) packet transmissions protected by them cannot be repeated. For packet pairs where this assumption is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. Packet number can also permit adversary to replay old packets to the receiver.

Do these vulnerabilities represent a protocol design failure of WPA2?
No, the failure is with the wpa_supplicant or hostapd Open Source software packages, and is not a protocol design failure of WPA2.

Which WatchGuard products were affected?

Access Points: AP100, AP102, AP120, AP200, AP300, AP320, AP322, AP420

Appliances: XTM 25-W, 26-W, 33-W; Firebox T10-W, T30-W, T50-W

How can WatchGuard partners and customers access patches / updates that address these vulnerabilities?
Patches will be available for Fireware, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud via the following releases and estimated timing (subject to changes, monitor this blog for patch updates):
Sunday, October 15, 2017:

AP120, 320, 322, 420: Release 8.3.0-657, Cloud mode only

Monday, October 30, 2017:

Fireware: Release 12.0.1

Legacy AP:

AP300: Release 2.0.0.9

AP100, 102, 200: Release 1.2.9.14

AP120, 320, 322, 420: Release 8.3.0-657, Non-Cloud (GWC mode)

Have any of WatchGuard’s customers or partners been negatively impacted by these vulnerabilities?
No, we are not aware of any WatchGuard customers or partners who have been negatively impacted by these vulnerabilities.

What is WPA2?
WPA2 (802.11i) is currently the standard for link layer security in Wi-Fi networks. It uses either 802.1x (EAP) or shared key (PSK) based authentication. In 802.1x, the client is authenticated from a backend RADIUS server when setting up a wireless connection. During the authentication process, the client and the RADIUS server generate a common key called Pairwise Master Key (PMK). The PMK is sent from the RADIUS server to the AP over a secure wired network. In PSK, the PMK is statically installed in the client and the AP by entering the same passphrase (password) on both sides. The PMK is then used to generate a hierarchy of keys to be used for encryption and integrity protection for data sent over wireless link between the AP and the client.

The protocol to generate the key hierarchy from PMK is called an EAPOL 4-Way Handshake. It is used to derive the following keys:

Pairwise Transient Key (PTK), used to encrypt unicast communication between AP and client. PTK is derived and installed by the AP and the client at the time of setting up a wireless connection. It is refreshed during the connection after pre-configured time has passed. It is also refreshed when client roams between APs using fast transition (FT) protocol.

Group Transient Key (GTK), used for encrypting broadcast and multicast messages from APs to clients. A GTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

Integrity Group Transient Key (IGTK), used for providing integrity for broadcast and multicast management messages (called management frame protection or MFP) transmitted from the AP to the client. IGTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

The keys (GTK and IGTK) are refreshed when a client leaves the AP and the new keys are distributed to all remaining clients using a protocol called Group Key Handshake.

What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol and security certification system developed by the Wi-Fi Alliance in response to weaknesses found in the previous system, Wired Equivalent Privacy (WEP). This was an intermediate measure taken in anticipation of the availability of the more complex and secure WPA2. WPA is obsolete and insecure, and WatchGuard recommends that all customers use WPA2, and not WPA.

Is there a method to protect patched devices against unpatched devices?
WatchGuard is providing patches for all of our affected products, and for non-WatchGuard appliances, users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available.

Firedot Highlight Reports

Getting threat intelligence into your existing security products – SIEMs, endpoints, network tools — can significantly enhance their effectiveness. Here at Anomali we understand the value of product integrations, so much so that my entire job is to manage the 30+ we currently offer. Recently we launched a feature that allows you to create your own threat […]

The intelligence in this week’s iteration discuss the following threats: Compromised server, Cryptocurrency miner, Data theft, Malspam, Phishing, Targeted attacks, Underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity. Trending Threats Olympic Destroyer Takes Aim At Winter […]

In our last post, we talked about how companies can use the concept of a No-Fly list to keep malicious actors out of their networks. So how does a cyber No-Fly list work in a real situation? We spoke with one of our customers, Alaska Airlines, about how they make the most of threat intelligence […]

My name is Teddy Powers. I have worked for Anomali (formerly ThreatStream) for almost the last three years and it’s been one of the best experiences of my life. But if you looked at my résumé or LinkedIn, much like anyone else, you’d do a double take. How in the world did he score a […]

North Korea, or more formally, the Democratic People’s Republic of North Korea (DPRK), is no stranger to international headlines. Most notably, it has captured attention in recent years for its nuclear testing and ballistic missile launches. Events in the cyber landscape have brought negative attention to North Korea as well. The United States officially blamed […]